Been spending most of the day scrubbing away that vuln in my facility here.... now here's the fun part: imagine just how many embedded devices (most of which get orphaned from a software maintenance perspective the moment they hit the store shelves) are gonna have this flaw. There's been the discussion of crappy home broadband CPE...
Only a matter of time before someone fakes the certificate and breaks a "trusted" software update method, or heck... a dns exploit + fake certificate = several million compromised payment card terminals.

On Wed, Mar 5, 2014 at 4:58 PM, jim deleskie <[email protected]> wrote:

> Doing some serious adjusting of my tinfoil today over his :)
>
> -jim
>
>
> On Wed, Mar 5, 2014 at 5:03 PM, Jay Ashworth <[email protected]> wrote:
>
> > ----- Original Message -----
> > > From: "Leo Bicknell" <[email protected]>
> >
> > > On Mar 4, 2014, at 9:07 PM, Jay Ashworth <[email protected]> wrote:
> > >
> > > > Is this the *same* bug that just broke in Apple code last week?
> > >
> > > No, the Apple bug was the existence of an /extra/ "goto fail;".
> > >
> > > The GnuTLS bug was that it was /missing/ a "goto fail;".
> > >
> > > I'm figuring the same developer worked on both, and just put the line
> > > in the wrong repository. :)
> >
> > Those who speculate that these bugs happened at the behest of the NSA
> > would probably agree with you.
> >
> > Cheers,
> > -- jra
> > --
> > Jay R. Ashworth Baylink
> > [email protected]
> > Designer The Things I Think RFC 2100
> > Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
> > St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
> >
> >
>

--
--
Tom Morris, KG4CYX
Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz!
786-228-7087
151.820 Megacycles

